Wednesday, January 1, 2014

What happened to security by design?

I have always warned those closest to me to never store the credit card information online because of the possibility of the information being stolen. In fact, if you think about it, the PS3 incident where the user IDs and passwords were stolen seem to be minor when compared to the latest incident where Target Corp's customers' ATM PINs were stolen.

True, the ATM PINs were encrypted but the question is why were the ATM PINs stored in Target's servers in the first place?

I have been taught never to store any card information or expiry date in the design of any system. This information should just be sent directly to the payment gateway and the information must not be stored on the merchant server as the possibility of the information being stolen will be detrimental to the company.

For those who wants to choose flexibility over security, do note what you're getting yourself into. Remember all these hacking, and defacement incidents this year? Always choose security over flexibility, and the needs to be incorporated into the design of any system early.

Remember, the real hackers are those who have gotten the information that they need but yet you're unaware of it. Those are the pros.